|
|
| CVE-ID | ||
|---|---|---|
CVE-1999-1172 |
• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
|
|
| Description | ||
| By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared. | ||
| References | ||
| Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete. | ||
|
||
| Assigning CNA | ||
| MITRE Corporation | ||
| Date Record Created | ||
| 20010831 | Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | |
| Phase (Legacy) | ||
| Proposed (20010912) | ||
| Votes (Legacy) | ||
| MODIFY(1) Frech NOOP(3) Cole, Foat, Wall REVIEWING(1) Christey |
||
| Comments (Legacy) | ||
Christey> The discloser does not provide enough details to fully understand what the problem is. This makes it difficult because if Maximizer has a concept of "users" and it is designed to allow any user to modify any other user's data, then this would not be a vulnerability or exposure, unless that "cross-user" capability could be used to violate system integrity, data confidentiality, or the like. There are some features of Maximizer 6.0 that, if abused, could allow someone to do some bad things. For example, an attacker could modify the email addresses for contacts to redirect sales to locations besides the customer. There's also a capability of assigning priorities and alarms, which could be susceptible to an "inconvenience attack" at the very least, as well as tie-ins to e-commerce capabilities. The critical question becomes: "how is this data shared" in the first place? If it's through a network share or other distribution method besides transferring the complete database between sites, then this may be accessible to any attacker who can mimic a Maximizer client (if there is such a thing as a client), and this could be a vulnerability or exposure according to the CVE definition. However, since the Maximizer functionality is unknown to me and not readily apparent from product documentation, it's hard to know what to do about this one. CHANGE> [Frech changed vote from REVIEWING to MODIFY] Frech> XF:maximizer-enterprise-calendar-modification(7590) |
||
| Proposed (Legacy) | ||
| 20010912 | ||
| This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities. | ||
|
You can also search by reference using the CVE Reference Maps.
|
||
| For More Information: CVE Request Web Form (select "Other" from dropdown) | ||